https://bugs.freedesktop.org/show_bug.cgi?id=78820
Robinson Tryon (qubit) <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #2 from Robinson Tryon (qubit) <[email protected]> ---
TESTING with LO 4.5

(In reply to Alexios Zavras (zvr) from comment #0)
> When digitally signing a document, the user is presented with a list of
> certificates to choose from. This list should not contain certificates that
> have an express purpose of encryption (not signing).

Sounds reasonable. Let's test.

Repro Steps:

- Make a certificate (valid for 2 days for example.com)

Okay, gotta dig deep into the system for this one (why can't there just be a
flag, openssl? *shakes head*)

Back up /etc/ssl/openssl.cnf to /etc/ssl/openssl.cnf.bk (that'll make cleanup
much easier)

Now edit the original file. Find the entry for "keyUsage = " under the section
"[ v3_req ]" and replace it with:

  keyUsage = nonRepudiation, digitalSignature, keyEncipherment

Get out of /etc and into a test directory for the keys (I used
/home/qubit/scratch/libreoffice/bugs/78820/)

Generate the key that has signing capabilities:

  openssl req \
    -x509 -nodes -days 2 \
    -subj '/C=US/ST=Montana/L=Butte/CN=www.example-SIGN.com' \
    -extensions v3_req \
    -newkey rsa:2048 -keyout testcert_sign_fdo78820.pem \
    -out testcert_sign_fdo78820.pem

  openssl pkcs12 -export -out testcert_sign_fdo78820.p12 \
    -in testcert_sign_fdo78820.pem \
    -name "Test Cert w/SIGNING fdo#78820"

Generate the key that does NOT have signing capabilities:

Edit /etc/ssl/openssl.cnf again and change the key usage line to:

  keyUsage = nonRepudiation, keyEncipherment

Then back to the test directory:

  openssl req \
    -x509 -nodes -days 2 \
    -subj '/C=US/ST=Montana/L=Butte/CN=www.example-NOSIGN.com' \
    -extensions v3_req \
    -newkey rsa:2048 -keyout testcert_nosign_fdo78820.pem \
    -out testcert_nosign_fdo78820.pem

  openssl pkcs12 -export -out testcert_nosign_fdo78820.p12 \
    -in testcert_nosign_fdo78820.pem \
    -name "Test Cert WITHOUT signing fdo#78820"

Finally, restore the initial state of the OpenSSL config by copying
/etc/ssl/openssl.cnf.bk to /etc/ssl/openssl.cnf

You can verify that the right values made it into the cert using something like
this:

  openssl x509 -text -noout -in testcert_nosign_fdo78820.pem | grep -A1 'Key Usage'

Some useful tips here as well:
http://www.mytidbitz.com/?p=109

Okay, now we need to jam the certs into Firefox.

- Use the GUI
  https://help.libreoffice.org/Common/Applying_Digital_Signatures#Managing_your_Certificates

The instructions are a little out of date (bug 87313 is filed :-). I wasn't sure
how to "edit the certificate. Enable the root certificate to be trusted at least
for web and email access."

Alexios: How did you get your certificates working?

- I did find a command-line tool (not sure if that's applicable):

  pk12util -d /home/<username>/.mozilla/firefox/<some randomish-looking-chars>.default/ -i your-cert.p12
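The same pair of test certificates as an added example (not part of this bug report or of LibreOffice), built with OpenSSL's -addext flag instead of editing /etc/ssl/openssl.cnf, followed by the Key Usage check a signing dialog should apply before listing a certificate. It assumes OpenSSL 1.1.1 or newer and uses the constructed names SIGN and NOSIGN for the two certificates.

```shell
#!/bin/sh
# Added example, not code from the bug report: generate one signing-capable and
# one encryption-only self-signed certificate (2 days, like the recipe above)
# without touching /etc/ssl/openssl.cnf, then decide per certificate whether a
# signature dialog should offer it. Assumes OpenSSL >= 1.1.1 (-addext).
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for the constructed certs

# make_cert NAME "keyUsage list": self-signed cert in $WORK/NAME.pem, key in NAME.key
make_cert() {
    openssl req -x509 -nodes -days 2 -newkey rsa:2048 \
        -subj "/C=US/ST=Montana/L=Butte/CN=www.example-$1.com" \
        -addext "keyUsage = critical, $2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# key_usage FILE: print the decoded Key Usage bits (the line after the header),
# the same check the report does with grep -A1 'Key Usage'
key_usage() {
    openssl x509 -text -noout -in "$1" | grep -A1 'Key Usage' | tail -n 1 | sed 's/^ *//'
}

# cert_can_sign FILE: succeed only if the digitalSignature bit is asserted;
# keyEncipherment or nonRepudiation alone must not qualify a cert for signing
cert_can_sign() {
    key_usage "$1" | grep -q 'Digital Signature'
}

make_cert SIGN   "digitalSignature, nonRepudiation, keyEncipherment"
make_cert NOSIGN "nonRepudiation, keyEncipherment"

# What the dialog should do with each certificate
for f in "$WORK/SIGN.pem" "$WORK/NOSIGN.pem"; do
    if cert_can_sign "$f"; then
        echo "$(basename "$f"): offer for signing   [$(key_usage "$f")]"
    else
        echo "$(basename "$f"): hide from signing   [$(key_usage "$f")]"
    fi
done
```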
